Thursday 18 July 2013

Mitigation versus Real Security

Of the many ways of classifying security types, one seems to me to be of increasing importance in how an organization sets up and structures its security. The two types, which we will call mitigation and real for the purpose of this discussion, are important paradigms to distinguish. Doing so lets an organization allot funds and resources to the proper locations, and helps it understand the effects it wishes to achieve before heading out and buying the most expensive security gadget, which turns out to be ineffective because the intent of the system was not understood.

Mitigation security (not to be confused with mitigation strategies) focusses on the concept that nothing is secure forever. The aim of this type of security is to present to interested parties, namely insurers, legislators and interested members of the public, that proper precautions were taken to secure that which requires security. In other words, it allows an organization to claim that all that could reasonably be done was in fact done, and a security breach occurred as an extraordinary occurrence which was not reasonably expected. This involves things like physical assets, unencrypted cloud data, product launch details and really anything which tends to be insured against loss or the loss of which, while damaging, will only expose an organization to potential financial loss or exposure to lower level litigation.

Real security, on the other hand, is the paradigm which focusses on actual no-fail security measures. Failures in security of this type result in real harm, major financial losses and litigation exposure, as well as public backlash, loss of confidence and possible adverse legislation. Organizations involved in this type of security tend to be government agencies, weapons and energy manufacturers and hi-tech organizations. Losses of this type vary; however, they tend to involve cutting and bleeding edge technologies, personal and financial data losses, state secrets and significant intellectual property losses.

Choosing one or the other need not be mutually exclusive; quite the contrary. Choosing the appropriate paradigm to put into practice in various areas of your organization shows that proper thought has gone into your security plan, and has the benefit of tailoring costs so that proper levels are used where they are needed. This runs contrary to the plans that many security sales folks may identify; however, the truth of it is that high security comes down to planning appropriately rather than spending on the most expensive gadgets.

When you begin your planning for security measures, here are a few quick rules I like to use when planning for my clients:

  • Start early in the business life cycle. Starting to think about security when you are still a small to medium business will allow you to think about how your plan can and should evolve as you get bigger.
  • Establish what effects you want to achieve rather than what you want to secure. This will give you a better understanding of the variables you need to account for.
  • Consider everything, not just the gates. I always tell people that the best way for me to breach their data systems, if the IT security folks are doing their jobs, is to get some dirt on a staff member and blackmail them into getting it for me, making those expensive IT security plans worthless.
  • A plan is never done. Make amendments whenever a breach occurs and regularly as technology and organization changes occur.
  • And finally, a security plan is useless unless staff are aware of the plan. Make sure they are aware of your plan, and refresh them on a regular basis (annually as a minimum).

Blog post is courtesy Elemental Investigations: Private Investigator Edmonton, an Edmonton, Canada based private investigator agency. They can be found online at www.elementalpi.ca

Friday 12 July 2013

Conflict of Interest

Conflicts of interest are some of those issues that people generally know about but tend to fail to notice when they are actually presented with evidence that it is occurring. This is largely due to personal knowledge of the individuals and organizations caught up in a particular conflict, but it can also be caused by attempts by the organization or individual to hide any potential or existing conflict which can be used for gain.

Generally speaking, a conflict of interest is when an individual or organization has relationships with two or more other individuals or organizations, where the relation to one could conceivably influence the interaction with one or more of the others. A case in point would be the CEO who owns stock in his own company and sells off the majority of his shares prior to releasing poor financial results for the company. This is also seen in the public sphere, where a public servant awards a construction job to her brother-in-law.

These examples are very obvious and usually come under intense scrutiny when they occur (by the media, in the case of important contracts and major corporations); however, they also occur in far smaller groups and circles, where they can cost organizations money and respect in their corporate circles.

Smaller level examples include the most frequent conflict, personal relationships, but also involve finances such as personal loans, memberships in clubs, prior or hidden criminal or ethically dubious acts and social pressures.

In any case, it usually falls to an organization's internal capabilities to keep track of conflicts of interest for its own personnel. Oftentimes, these issues are investigated by HR staff at the time of short-listing or hiring, when general checks are conducted internally or with the help of an outsourced HR firm or investigator.

The problem with this method is that things change over time. As people become more settled in a position or develop professionally, they tend to branch out in terms of stock holdings, memberships and personal ventures. As these develop, the potential for conflicting circumstances increases greatly. The person in the conflicting position usually will not identify the conflict to the organization, either out of ignorance or, more commonly, because they recognize the potential benefit of keeping silent. A case in point is the computer software engineer who starts up a small business on the side providing services similar to those he performs in his primary employment. Using the skills and resources gained from that employment, as well as valuable contacts and commercial opportunities to network, he can gain significant advantage by offering services below the corporate rate, often using resources from the company he works at to enhance his own business and reduce overhead. This scenario is actually one of the most prevalent forms of conflict of interest and costs companies major capital, as it is often low level but very widespread.

A way for a company to keep on top of this is to periodically update its conflict of interest checks. Important times to look out for, particularly for C-suite executives and technical staff (engineers, scientists, etc.), are periods when new staff are brought on, competitors make major acquisitions, supervisors become aware that staff are starting their own business, and when any major bonuses are granted which could offer an employee the opportunity to make cash investments in a personal business or stock acquisitions.

Additionally, depending on the type of business, checks should be repeated on a regular basis (every 2-5 years) on all C-suite, executive management and major development and technical leaders to ensure that proper disclosures have been made. These checks should be performed out of the Board of Directors' offices and can be done by internal staff if the capability exists; however, using external organizations ensures the proper skill sets and impartiality in the investigation, and allows for greater flexibility without diverting staff from other tasks.


Saturday 6 July 2013

Employee Misconduct

Employee misconduct is one of those catch-all phrases which generally captures employees doing things they shouldn't, from misuse of assets to malingering to racial discrimination.

Despite the various disguises that employee misconduct can wear, the effects of misconduct can be felt throughout an organization, and can hit not only employee morale, but the bottom line as well.

What are some of the more common types of misconduct? Well, the list is quite extensive, however some of the most common are:

  • Harassment
  • Discrimination
  • Misuse of company assets (such as using assets for personal use)
  • Malingering (claiming to be sick/injured falsely)
  • Violations of ethical practices
  • Safety infractions
  • Legislation and internal policy abuses
  • And of course, everyone's favourite, plain old goofing off.

The effect of these activities, particularly those committed by people in supervisory and management positions (who are most likely to engage in most misconduct types), is to clobber morale within your ranks. Not only does it create a poisoned environment, it has the effect of spreading: as people see those in power getting away with poor behaviour, others conclude that they too can justify engaging in other types of misconduct, if not flat-out illegal behaviour within your organization.

This can have an incredible impact on the bottom line as high employee turnover, losses and reduced productivity can grind your capabilities into the ground fairly quickly.

What is needed to effectively identify misconduct issues is to ensure the following are implemented in your organization:

  • Institute an active whistleblower program which protects staff from repercussions when reporting instances of employee misconduct
  • Ensure that complaints are investigated as soon as possible. If you do not have the capability in house (and most organizations do not), hire outside investigators to come in for complex cases such as harassment and malingering (particularly when unions are involved).
  • Communicate the results of the investigation to staff and explain the disciplinary measures taken. Many companies balk at this for fear of coming off as the proverbial big meanie; however, this shows staff that you are committed to stamping out misconduct and that the rules apply to everyone equally... you'd be surprised at how well a firm and fair hand is viewed by staff.
  • Take suggestions from staff and management on how to remedy a situation once the dust has settled. Bringing your staff into play gives them a sense of involvement in the wellbeing of your organization and gives them a stake in the future.

Thursday 27 June 2013

Competitive Intelligence

Competitive Intelligence is often misconstrued as the corporate or national spy getting a visiting businessman drunk and then milking him for secrets, usually using a sultry honey pot to trap him and coerce him into spilling the beans.

The reality is that this method is actually called Corporate Espionage, and it is highly illegal. This is not to say that it doesn't happen, but it is best to stay away from people offering these types of services to a traded company.

What Competitive Intelligence (CI) provides is focussed research and data gathering skills, used in open source intelligence methods, to develop an intelligence package on a competitor or specific market subset which enables a company to develop and revise strategy to keep it at the front of a particular marketplace.

As opposed to Business Intelligence, which is software and systems based market tracking technology, CI is primarily human driven and precise, designed to discover competitor strategies and trends ethically and intelligently to bring the most relevant data to your staff to enhance your corporate goals.

CI can also be used in reverse, targeting your own company to detect leaks and clues your own competitors are trying to discover about your strategy, enabling you to shut down the leaks and protect your corporate planning process, allowing you freedom of movement in the marketplace.

CI is a highly cost effective and efficient method for obtaining market data which can be used to protect your strategy and develop plans to offset competitor developments.

Many private investigators have the ability to perform your Competitive Intelligence and investigations tasks, often remotely where the need for direct travel is limited, by using a variety of online and real world resources to meet your CI needs. PIs maintain great flexibility for short term and long period deployments of intelligence resources to fit your goals. Contact one to find out more in your local area or abroad. The majority of service providers should be able to put together a solid idea of how they can help and work with your staff to target specific points or sectors to maximize their, and your, efforts.

Thursday 20 June 2013

Hiring A Private Investigator

I had the pleasure of taking part in the annual meeting of the CPI-O, the private investigations industry in Ontario, in Toronto last week. It was good to get together and talk shop with others in the industry, as well as have a few beers off the clock, and get back to basics.

It was also good to go over some of the issues affecting the industry and talk about our collective qualifications and what it means to hire a professional Private Investigator (PI).

Many people do not think of hiring a PI on a regular basis as private individuals; however, business and law offices regularly reach out to us to obtain services. While the exact nature of the service can vary as widely as corporate counter-intelligence to infidelity investigations, they all have one primary goal in common... to find needed information.

Regardless of whether you are interested in hiring a PI for any one of the three main lines of investigations: Domestic, Legal Support or Corporate, there are a few rules of thumb which you should look out for to make sure you are getting a professional versus some random guy with a Craigslist account, pretty much regardless of where you are in the world.

First off are the basics of a profession: agency licence, individual licence, insurance and belonging to some sort of professional organization. These requirements are law in most areas, and really ensure you will have at least a basic level of competence as you move forward in the selection process. The licences are obvious signs that they are operating legally, and insurance is usually a requirement of the licencing process, but you should also look at the professional organization. In Canada, it is a requirement to be compliant as an investigative body under the national privacy legislation. In other areas, as well as Canada, they tend to demand adherence to a basic code of ethics and professional standard to give you some peace of mind that your investigator of choice is acting appropriately, even if you aren't aware of the regulations.

Next, you will want to ensure your investigator is open about pricing, plan, the investigator on scene and rough timelines. I'll be honest here, investigations aren't cheap, that's why you never saw Magnum driving a Chevette. Going to a guy who promises dirt cheap investigations but then hides what the final bill is, or is evasive on an estimate, is likely not a good choice. A professional PI will be up front about pricing, should provide you with a clear estimate and advise if there is the potential for cost overruns if things go squirrely, which can happen. They should also be forthcoming about a timeline and plan for the investigation. If they cannot provide this to you with a service agreement to make things legit, you might want to avoid handing over that deposit (which usually is required for service from domestic clients).

Lastly, you will want to ask about what your PI can do, how he or she plans on going about it and why they are able to do it. Beware a PI who claims they can do everything, or who nods as you ask them to insert a brain probe in someone's head. There are many things which aren't legal (depending on the jurisdiction/country). Hiring the sort who is willing to do these things is tempting them to just walk with your deposit, leaving you with no real recourse to recover your money... or worse, they will go ahead with it and open you up to third party liability if something goes horribly wrong. Also match up why they are qualified for a particular task. Many of us offer general investigations, which means we dabble in all types, but each of us has a particular skill we excel at. It's not to say that we can't do a particular job, just that you should ask why they can and how they will go about it. They should once again be open and honest.

That about does it for the general aspects of hiring a PI. The big part is, know a bit about the laws in your area and ask questions of your PI of choice. They should answer all your questions clearly, or get back to you soonest if they need to research a more obscure rule. And always make sure they are licenced in some way, and if no licencing exists, that they belong to a professional association.


Friday 14 June 2013

PI's, Privacy and Social Media

Social media has become an important source of info for many people. Social media companies themselves sell off our data, statistics and preferences for huge kickbacks from ad companies, more and more of which are becoming social media interfaces as well. Credit agencies use this info as well as they compile overall profiles of each person, which gets augmented by other info sources we sign away to get a cheap discount on something.

Then comes us... the PI. I love using social media as a source; however, I make a note never to abuse it as a tool. This is an important distinction in developing these source types, as opposed to merely thieving data to help push out products, since our investigations focus on legal data for the assistance in compiling a case for court.

People think that the biggest leak of info from social media that people can exploit is poor settings on privacy. While this info is indeed a goldmine for someone researching another individual, it often is not the only method.

A good investigator will look not only at what is plain and obvious, but will build link tables and relational charts on what is not there as well, plus look into second and third party affiliations to build a strong profile.

What people need to know on the privacy side, though, is how to keep data off of these pages which can harm them when accessed by bad guys.

The first step here is to set a good password and not share your account info with anybody... and for the love of god, change your password if you do and you break up with that person... immediately!

Next is always assume that all of your info can be shared online. Some sites like Facebook are pretty good at blocking out data thieves (of course only so that they are the only ones able to profit from it), but there are newer social media sites which can provide a ton of info, but are not yet mature enough to have a robust privacy policy and secure access points to user info.

Lastly, know who you are connected to and what they have access to. While I'm not here to lecture, I do not think that people need to befriend everyone who asks online to seem popular. These other people may not be as security conscious as you are, and once someone finds out you are associated to them, can be exploited to reveal info about you.


Thursday 6 June 2013

Protecting Yourself Online

Online investigations are something we look at fairly often here in the office. Most often, the cases we look at are cyber harassment investigations and cyber-bullying in nature. These case types of course have been well publicized of late, particularly in the sphere of cyber-bullying, with heart breaking examples such as Amanda Todd, Jamie Hubley and Rehtaeh Parsons. Other major problems include identity theft which is increasing in scope yearly and encompasses financial and non-financial aspects and various hacking methods (which here will be a catch all phrase for system breaches of all types).

While the threat source on all of these problems can vary from schoolyard punks to co-workers to ex-lovers to unknown offshore hackers, the facilitator of these problems usually rests at the feet of the victim themselves. While I hope this is not a surprise to many, it is an unfortunate truth that there are still many, many people who fall victim to a wide array of online problems daily.

The main source of people gaining access to information which should not be in someone else's hands is that which is freely given. That is, naked pictures to lovers, inappropriate jokes to friends and dark secrets to associates or forums, where in all cases people think the information will stay safe forever. Obviously, this is not the case, and it highlights the unfortunate reality that the vast majority of these cases could be stopped by just paying a bit more attention to what we give out to other people and by educating youth who have not yet seen the really nasty side of society to withstand potential pitfalls.

The other main source of information getting out into the wild, which can then be used against us, is again the fault of the victim in most cases: poor passwords. One just has to take a look at the top 10 passwords in the world to discover that even in the year 2013, the most popular continue to include 1111, 1234, password and the user's own name. There are programs out there which scrape e-mail accounts and then attempt to access them by using the top bad passwords. Password sharing is also a great source for a bad guy or girl to get their hands on a user account, as people assume that someone they are dating will be around forever, or that a co-worker who needs quick access to a system will never use it against the victim.

True hacking actually comprises a very small amount of breaches as it requires quite a bit of skill and resources to pull off, which makes your average victim an unlikely choice for attack by complex methods. Usually the info was just out there for a keen eye to grab and exploit.

As such, there are some basic ways to protect and educate yourself and your kids (and the elderly as well, who may not be as tech savvy as some). First and foremost, outside of the online world, be aware of sensitive materials given out. No duh, huh? It seems easy at a glance, but you would be shocked at the types of graphic materials handed out by kids in school... as young as 10 and younger. This still applies to adults as well, and really comes down to knowledge of the reach people now have, and the anonymity people can enjoy when a relationship falls apart, to broadcast material given in confidence to a large and damaging audience.

Next is passwords. Make them long and unique, and use symbols to create something, not just the easiest thing to enter into the keyboard. Next, if you give out your password to anyone, change all linked accounts or those sharing similar or the same passwords. People are lazy by nature and tend to use the same password or password family for multiple sites, a fact which is relied on by people looking to exploit you. Remove cloud storage access permissions if you suspect a breach of your files, as people may use access to one system to maintain access through a backdoor in another. Use up to date and well reviewed antivirus software. Even free antivirus can keep you secure from most threats as long as it is up to date and turned on to medium levels. The same goes for operating system software like Windows and Apple OS, which deliver periodic updates to patch known vulnerabilities. Finally, ensure you watch what you click, as the majority of spyware and system viruses are still delivered through e-mail, where a person needs to click on a suspicious link to unknowingly download a virus.
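A defender-side check of the password habits described above, as an added example that is not part of the original post. The small common-password set, the "password family" normalisation and the sample account names are constructed for illustration; a real deployment would load a published breach-derived list instead.

```python
"""Flag the weak-password habits the post warns about: the perennial top
entries (1111, 1234, password), the user's own name, trivially short or
keyboard-easy strings, and reuse of one 'password family' across accounts
(Summer2013 vs summer2014! vs Summer2013 with a symbol tacked on)."""
import re
import unicodedata

# Constructed stand-in for a "top bad passwords" list (illustration only).
COMMON_PASSWORDS = {"1111", "1234", "123456", "password", "qwerty",
                    "letmein", "abc123", "iloveyou"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")

# Common letter-for-symbol swaps undone when computing a family key.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                       "3": "e", "!": "i", "4": "a", "5": "s"})


def canonical(pw: str) -> str:
    """Reduce a password to its family key: lower-case, strip leading and
    trailing digits/symbols (the usual '2013!' suffix), undo leet swaps.
    Two passwords with the same key are treated as the same family."""
    s = unicodedata.normalize("NFKC", pw).lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(_LEET)


def check_password(pw: str, username: str, existing: dict) -> list:
    """Return a list of findings; an empty list means nothing was flagged.
    `existing` maps account name -> password already in use elsewhere, so
    that reuse of a password or its family can be reported."""
    findings = []
    low = pw.lower()
    if len(pw) < 12:
        findings.append("too short (fewer than 12 characters)")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        findings.append("uses fewer than three character classes")
    family = canonical(pw)
    if low in COMMON_PASSWORDS or family in COMMON_PASSWORDS:
        findings.append("matches a top bad password")
    if any(run in low for run in KEYBOARD_RUNS):
        findings.append("contains a keyboard or counting run")
    # Split 'jane.doe' / 'jane_doe' / 'Jane Doe' into name parts.
    parts = [p for p in re.split(r"[\s._-]+", username.lower()) if len(p) >= 3]
    if any(p in low for p in parts):
        findings.append("contains the user's own name")
    for account, other in existing.items():
        if other == pw:
            findings.append(f"identical to the password for {account}")
        elif family and canonical(other) == family:
            findings.append(f"same password family as {account}")
    return findings


if __name__ == "__main__":
    # Constructed sample: one password already in use on a webmail account.
    in_use = {"webmail": "summer2013"}
    for candidate in ("password", "JaneDoe2013!", "Summer2014!",
                      "Correct-Horse-Battery-Stapler-42"):
        print(candidate, "->", check_password(candidate, "jane.doe", in_use) or "ok")
```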

Should you find yourself with information which has been leaked onto the net and is being used against you, contact local police. If the nature of the harassment poses imminent danger, they will be able to initiate an investigation. If it is of less immediate danger, they will open the file regardless, but outside resources will be required to launch the investigation. Contact a Private Investigator if this level of investigation is needed. They will have experience tracking down the perpetrator, or at least locating the instances of harm being broadcast on the net to help shut them down. By and large, these investigations are classed as domestic investigations, which require the investigator to have access to often embarrassing details before beginning. Be sure to interview your investigator in order to ensure you have an appropriate comfort level before initiating service. Visit us at www.elementalpi.ca if you would like more information, or visit the RCMP Internet Security site at http://www.rcmp-grc.gc.ca/qc/pub/cybercrime/cybercrime-eng.htm